modsecurity

A WAF is not a license to ignore secure coding, but it can still buy useful time and visibility. I tune rules for known attack classes and watch false positives aggressively during rollout. Managed poorly, a WAF becomes operational pain; managed well,